A few months ago I looked into the inner workings of DuckDuckGo Privacy Essentials, a popular browser extension meant to protect the privacy of its users. I found some of the typical issues (mostly resolved since) but also two actual security vulnerabilities. First of all, the extension used insecure communication channels for some internal communication, which, quite ironically, caused some data leakage across domain boundaries. The second vulnerability gave a DuckDuckGo server way more privileges than intended: a Cross-site Scripting (XSS) vulnerability in the extension allowed this server to execute arbitrary JavaScript code on any domain.

Both issues are resolved in DuckDuckGo Privacy Essentials 2021.2.3 and above. At the time of writing, this version is only available for Google Chrome however. Two releases have been skipped for Mozilla Firefox and Microsoft Edge for some reason, so that the latest version available here only fixes the first issue (insecure internal communication).